Are there any production-quality web frameworks that are secure "by default"? I'm an experienced software developer but completely new to web development. I just discovered csrf, xss, cors, etc which seem to be easy to fall into by mistake/inexperience and I really don't want to goof-out.
Frameworks can be secured as far as their internal implementations go, but they can't stop you from exposing yourself to these vulnerabilities yourself. There's no shortcut to this -- you need to study common attack vectors in web protocols and web browsers.<p>In general, you're better off with popular, open-source frameworks that are still getting updates by a team of paid professionals (usually through corporate sponsorship). Strong, static types also help.<p>For a beginner, .NET 6 is a pretty good "batteries included" starting point that doesn't require as much caution when importing third-party libraries (as opposed to Node/npm).
You can try some of them. It all depends on your language of chopice proficiency. There's no such OOTB solution but some frameworks have good options.
Django (Python), Laravel (PHP) and Spring Boot (Java) are some options.
For enterprise level security (you'd still have to configure some of it by yourself) I would d go with Spring Boot and its Spring Security module (<a href="https://spring.io/projects/spring-security" rel="nofollow">https://spring.io/projects/spring-security</a>).